Rootless cgroup support #1

Closed
wants to merge 38 commits into
base: rootless-containers
from

3 participants
@brauner

brauner commented Jun 9, 2016

This is a first pass at implementing cgroup support with unprivileged containers.

cyphar added some commits Apr 23, 2016

libcontainer: configs: namespaces: clean up the API
It doesn't make sense to use pointers for operations that do not modify
the structure. In addition, it makes code harder to write for no good
reason.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
libcontainer: nsexec: rework user namespace setup
In order to allow for unprivileged setup of user namespaces, we have to
do a fairly odd dance of unshare() and then clone(). This same dance
does not work for when the container is being set up by a privileged
user, so we have to conditionally set this up.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
*: add support for rootless containers
This enables the support for the rootless container mode. There are
certain restrictions on what non-root users can do, resulting in several
runC features not being used. There are no checks in place at the moment
to make this clear to users.

* All cgroup operations require having CAP_SYS_ADMIN in the root user
namespace. This means that we cannot set up *any* cgroups, or join
cgroups. This can be circumvented by having the user own the current
cgroup [this mode is currently not implemented].

* setgroups(2) cannot be used in a non-privileged user namespace setup,
so we have to hard fail if for some reason we decide that we need
setgroups(2) enabled.

* We cannot map any user other than ourselves in a rootless container,
which means that any user-related directives won't work. You can only be
"root".

Signed-off-by: Aleksa Sarai <asarai@suse.de>
*: add support for exec of rootless container
Signed-off-by: Aleksa Sarai <asarai@suse.de>
libcontainer: save whether the container is rootless in state.json
This is necessary to maintain consistency in how rootless containers are
treated (especially with runc exec, where we have to make sure we follow
the requirements of rootless containers even though we might be running
in a different context).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
libcontainer: set is_rootless via netlink to nsenter
Signed-off-by: Aleksa Sarai <asarai@suse.de>
libcontainer: rename all "notroot" references to "rootless"
Signed-off-by: Aleksa Sarai <asarai@suse.de>
rootless: produce error if user tries to set additional groups
Signed-off-by: Aleksa Sarai <asarai@suse.de>
libcontainer: rootfs: use CleanPath when comparing paths
Comparisons with paths aren't really a good idea unless you're
guaranteed that the comparison will work with all paths that resolve to
the same lexical path as the compared path.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
libcontainer: nsenter: fallback #define CLONE_NEWUSER
Signed-off-by: Aleksa Sarai <asarai@suse.de>
rootless: add rootless validator for config
This makes the errors caused by permission errors much more useful to
the user.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
rootless: add rootless cgroup manager
The rootless cgroup manager acts as a noop for all set and apply
operations. It is just used for rootless setups.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
rootless: error out if a user tries to run as a non-root user
Signed-off-by: Aleksa Sarai <asarai@suse.de>
rootless: make rootless part of configs.Config
This makes a lot of the other code much simpler to refactor. In
addition, it allows us to make specconv not generate any output it
shouldn't.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
rootless: clean up mapping checks and validation
Signed-off-by: Aleksa Sarai <asarai@suse.de>
libcontainer: cgroups: rename Get*CgroupDir to Get*Cgroup
This is a correctness thing, since the actual "path" returned by
those functions is the path of the cgroup in the hierarchy -- but it's
not the path or directory in the traditional sense.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
libcontainer: cgroups: store cgroup paths in rootless cgroup
Signed-off-by: Aleksa Sarai <asarai@suse.de>
rootless: error out if attempting to checkpoint rootless container
Signed-off-by: Aleksa Sarai <asarai@suse.de>
rootless: add tests for config validation
Signed-off-by: Aleksa Sarai <asarai@suse.de>
rootless: add specconv tests for generated configs
Signed-off-by: Aleksa Sarai <asarai@suse.de>
rootless: add autogenerated rootless config from `runc spec`
Signed-off-by: Aleksa Sarai <asarai@suse.de>
rootless: make rootless example have internet access
Signed-off-by: Aleksa Sarai <asarai@suse.de>
integration: added root requires
Signed-off-by: Aleksa Sarai <asarai@suse.de>
list: handle unreadable containers
Signed-off-by: Aleksa Sarai <asarai@suse.de>
tests: add rootless integration tests
This adds targets for rootless integration tests, as well as all of the
required setup in order to get the tests to run. Unfortunately, due to
long-standing runC issues with consoles and user namespaces we cannot
currently enable these tests by default.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
rootless: cr: explicitly error out if not root
Signed-off-by: Aleksa Sarai <asarai@suse.de>
rootless: cgroups: verify configuration in Set()
Signed-off-by: Aleksa Sarai <asarai@suse.de>
rootless: disable getting events
Signed-off-by: Aleksa Sarai <asarai@suse.de>
rootless: tests: disable events tests
Signed-off-by: Aleksa Sarai <asarai@suse.de>

Owner

cyphar commented Jun 10, 2016

Overall, I like it. Just need to iron out some of the odd edges wrt all of the weird usecases with cgroups.

brauner commented Jun 10, 2016

@cyphar, sure. I'll answer you tomorrow!

remember whether cgroup manager is unprivileged
Signed-off-by: Christian Brauner <cbrauner@suse.com>
@@ -0,0 +1 @@
Subproject commit d4feaf1a7e61e1d9e79e6c4e76c6349e9cab0a03
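Review bot: the "Subproject commit" gitlink here has no accompanying .gitmodules change in this diff, so the submodule's URL and checkout path cannot be determined from the patch, and reviewers cannot tell what source is being pinned at d4feaf1a7e61e1d9e79e6c4e76c6349e9cab0a03. Since the maintainer notes that runC vendors dependencies with godep rather than subprojects, suggest dropping the gitlink and committing a godep-vendored copy of the dependency instead, so the pinned source is reviewable in-tree.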

@cyphar

cyphar Jun 14, 2016

Owner

We don't use subprojects for vendoring in runC. We use godep (which copies the full repo source and then removes files not needed for compilation). Unfortunately, godep is not a very good tool so it might be a bit of a pain to use.

@brauner

brauner Jun 14, 2016

Yeah, I tried that but I didn't get it to work. Somehow it really messed up my repo when I did godep get ... and godep save ...

@cyphar

cyphar Jun 14, 2016

Owner

I'll jump on a common ssh session with you on Friday. I can go through some of the oddities that is the runC repo setup then.

@brauner

brauner Jun 14, 2016

+1. I'll push a version now that addresses some of the things we discussed.

brauner added some commits Jun 8, 2016

only join writeable cgroups
Signed-off-by: Christian Brauner <cbrauner@suse.com>
use Cgroupfs manager with unprivileged containers
Signed-off-by: Christian Brauner <cbrauner@suse.com>
move CanWrite() to utils
Signed-off-by: Christian Brauner <cbrauner@suse.com>
add IsZero()
IsZero() allows checking whether any resource restrictions have been requested.
If we are rootless we can then check whether resource restriction is requested
for a non-writeable cgroup and error out.

Signed-off-by: Christian Brauner <cbrauner@suse.com>
setting resource limits: check during Apply()
Check during Apply() if resource restrictions are requested that we cannot
fulfill during Set() because we are not in a writeable cgroup.

Signed-off-by: Christian Brauner <cbrauner@suse.com>
fail if we cannot Set() resources
If we are requested to restrict resources but cannot do so we fail.

Signed-off-by: Christian Brauner <cbrauner@suse.com>
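The checks these commits describe (join only writeable cgroups, IsZero() to detect a requested restriction, and failing in Apply() when a restriction targets a cgroup the unprivileged user cannot write, which is the CAP_SYS_ADMIN limitation noted in the rootless-containers commit above), as an added Go example that is not code from this PR or from runc. The Resources subset, the function names and the cgroup v1 layout under mountRoot/<controller>/<path> are assumptions.

```go
package main

import (
	"path/filepath"
	"sort"
	"strings"
	"syscall"
)

// Resources is a hypothetical subset of runc's configs.Resources, enough to show IsZero().
type Resources struct {
	Memory    int64  // memory controller, bytes
	CPUShares uint64 // cpu controller
	PidsLimit int64  // pids controller
}

// IsZero reports whether no resource restriction was requested at all.
func (r Resources) IsZero() bool { return r.Memory == 0 && r.CPUShares == 0 && r.PidsLimit == 0 }

// parseProcCgroup maps each controller in /proc/self/cgroup ("id:controllers:path")
// to its cgroup path; the unified v2 line "0::/..." has no controllers and is skipped.
func parseProcCgroup(data string) map[string]string {
	paths := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(data), "\n") {
		parts := strings.SplitN(line, ":", 3)
		if len(parts) != 3 || parts[1] == "" {
			continue
		}
		for _, ctrl := range strings.Split(parts[1], ",") {
			paths[strings.TrimPrefix(ctrl, "name=")] = parts[2] // "name=systemd" -> "systemd"
		}
	}
	return paths
}

// canWrite is the CanWrite() probe: W_OK (2) on the cgroup directory for the calling user.
func canWrite(dir string) bool { return syscall.Access(dir, 2) == nil }

// rootlessCheck lists controllers with a requested restriction whose current cgroup is not
// writeable; a non-empty result means Set() could not honour the config, so Apply() fails early.
func rootlessCheck(r Resources, paths map[string]string, mountRoot string, writeable func(string) bool) []string {
	wanted := map[string]bool{"memory": r.Memory != 0, "cpu": r.CPUShares != 0, "pids": r.PidsLimit != 0}
	var blocked []string
	for ctrl, need := range wanted {
		// a controller missing from /proc/self/cgroup is treated as not writeable
		if p, ok := paths[ctrl]; need && (!ok || !writeable(filepath.Join(mountRoot, ctrl, p))) {
			blocked = append(blocked, ctrl)
		}
	}
	sort.Strings(blocked) // deterministic order for error messages
	return blocked
}
```

In a real manager the writeable argument is canWrite; the probe is passed in so the decision logic can be exercised without a live cgroupfs.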
frezbo commented Dec 31, 2017

@cyphar any future plans on this PR?

Owner

cyphar commented Dec 31, 2017

@frezbo This has been solved upstream in opencontainers#1540 -- this work was the previous version of that. I'll close it now.

@cyphar cyphar closed this Dec 31, 2017
